Cyber News Roundup for September 27, 2024

In today’s digital world, cyber threats are growing fast, and both skilled state-backed hackers and less sophisticated attackers are going after critical systems around the globe. From Russia’s Gamaredon group stepping up its cyber spying against Ukraine, to new vulnerabilities that allow hackers to remotely control everyday systems like Kia vehicles, the risks are more diverse and widespread than ever.

Recent events underline the need for taking proactive steps, whether it’s securing critical infrastructure like Kansas’ water systems or tackling malware that can get around two-factor authentication (2FA). With cyber campaigns like Salt Typhoon targeting U.S. broadband providers, and the CrowdStrike outage catching attention, organizations need to stay on their toes and keep up with the changing threat landscape.

As the risks grow, it’s a good time for businesses and governments to rethink their defenses and stay ahead of these evolving threats.

 

Russia’s Gamaredon remains highly active against Ukraine

ESET has published a report on the toolset used by the Russian threat actor Gamaredon to target Ukraine over the past two years. The researchers note that Gamaredon “is currently the most engaged APT group in Ukraine,” primarily conducting cyberespionage against Ukrainian government entities. The Security Service of Ukraine has attributed the threat actor to the FSB’s 18th Center of Information Security, based in Crimea.

ESET states, “In general, we can categorize Gamaredon’s toolset into downloaders, droppers, weaponizers, stealers, backdoors, and ad hoc tools. The group uses a combination of general-purpose and dedicated downloaders to deliver payloads. Droppers are used to deliver various VBScript payloads; weaponizers alter properties of existing files or create new files on connected USB drives, and stealers exfiltrate specific files from the file system. Additionally, backdoors serve as remote shells, and ad hoc tools perform specific functions, like a reverse SOCKS proxy or payload delivery using the legitimate command line program rclone.” (ESET)

Web vulnerability exposed Kia vehicles to hacks

A group of researchers today disclosed a vulnerability in a Kia web portal that could give an attacker remote control over vehicle functions using only a license plate number, WIRED reports. The attacker could exploit the flaw to reassign themselves as an owner of a vehicle, allowing them to unlock the car, start its ignition, or passively track its location. The researchers note, “These attacks could be executed remotely on any hardware-equipped vehicle in about 30 seconds, regardless of whether it had an active Kia Connect subscription.” WIRED says Kia appears to have patched the flaw. (Sam Curry, Wired)

 

NIST drops password complexity, mandatory reset rules

In the second public draft version of its password guidelines, the National Institute of Standards and Technology is making two changes. The first is that credential service providers stop requiring that users set passwords that use specific types or characters, and the second is to stop mandating periodic password changes (commonly every 60 or 90 days). This first suggestion actually paves the way for longer passwords of between 15 and 64 characters and that they include ASCII and Unicode characters. The second supports the idea that password resets should only occur in the case of a credential breach. Making people change passwords frequently was resulting in people choosing weaker passwords. (Dark Reading)

 

CISA speaks out regarding Kansas water incident

Following up on a story we covered on Wednesday regarding the cybersecurity issue at the water treatment facility in Arkansas City, Kansas, CISA released a new advisory yesterday, Thursday, as a reminder that “exposed and vulnerable OT/ICS systems may allow cyber threat actors to use default credentials, conduct brute force attacks, or use other unsophisticated methods to access these devices and cause harm.” The agency urged operators to apply its previously released recommendations to defend their systems. (The Record)

 

Hackers claim a Chrome 2FA feature bypass takes less than ten minutes

Google introduced application-bound encryption in Chrome 127 for Windows to prevent cookie-stealing hackers from bypassing two-factor authentication (2FA) using infostealer malware. This security feature ties encrypted data to app identity, making it harder for hackers to access sensitive information. However, multiple infostealer malware developers, including those behind Lumma, Vidar, and Rhadamanthys, claim to have quickly bypassed this new protection. Reports from Bleeping Computer confirm that these malware updates can break Chrome’s cookie encryption, effectively rendering 2FA protections useless. Once attackers steal session cookies, they can bypass authentication and gain full access to users’ accounts and sensitive data. (Forbes)

 

CrowdStrike VP testifies before Congress

Adam Meyers, vice president for counter-adversary operations at CrowdStrike, appeared before a US congressional committee yesterday to address questions about the global outage caused by a faulty CrowdStrike update in July, Infosecurity Magazine reports. The outage was due to a mismatch between input parameters and the rules engine in CrowdStrike’s Falcon sensors, triggering “blue screen of death” errors on all Windows machines that installed the update. Meyers stated, “On July 19, 2024, new threat detection configurations were validated through regular validation procedures and sent to sensors running on Microsoft Windows devices. However, the configurations were not understood by the Falcon sensor’s rules engine, leading affected sensors to malfunction until the problematic configurations were replaced.” Meyers apologized for the disruption and outlined measures taken to prevent future incidents, including enhanced validation and testing processes, phased rollouts of updates, and added runtime safeguards. (Infosecurity Magazine)

 

Salt Typhoon strikes US ISPs

The Wall Street Journal’s sources say US investigators discovered a cyberattack campaign from a Chinese-linked threat actor dubbed Salt Typhoon. This campaign sought to establish footholds in several US-based cable and broadband providers. It’s unclear if the goal was simply reconnaissance or a potential staging for further cyberattacks. It’s been a busy year for China-linked threat groups operating under a “Typhoon” epithet. In January, the US disrupted operations by Volt Typhoon against critical infrastructure, and just last week, a Flax Typhoon botnet was disrupted. US officials frequently warn that due to the depth and frequency of China-linked cyberattacks, these campaigns likely represent the “tip of the iceberg.” (WSJ)

 

“Unsophisticated methods” used against industrial systems

Not all cyberattacks need the advanced capabilities of nation-states behind them. CISA warned that threat actors continue to target critical infrastructure OT and ICS devices with “unsophisticated” methods. This includes using default credentials or brute force attacks. The agency said it “continues to respond to active exploitation of internet-accessible” devices, particularly citing the Water and Wastewater Systems Sector being hit by pro-Russian hacktivists since 2022. CISA issued an advisory back in May on securing against these basic attacks, recommending changing default passwords, enabling MFA, applying security updates, and putting human-machine interfaces behind firewalls. (Bleeping Computer)

 

Have questions? Reach out to RedSeal today to chat with one of our cybersecurity experts.